How to Use Trusted Public CAs in Android & iOS Apps

Learn How to use Trusted Public CAs in Android & iOS Apps to prevent MitM attacks.

This KB article describes how to implement Appdome’s Trust World Wide Public CAs in any Android or iOS app. This feature will designate a list of trusted public CAs to the mobile device’s trust store which will be verified by Appdome when a. mobile app establishes a TLS session with a server.

About Appdome’s Trust World Wide Public CAs feature

Mobile devices come with an OEM list of built-in public certificate authorities (CA). However, certificates and CAs can be altered by hackers or installed on devices and apps in malicious ways (without anyone knowing). This makes it hard to know if the list of CAs currently installed on the device can actually be trusted (because they could have been altered). Using Appdome, you can solve this problem. Appdome maintains an up to date list of Public trusted CA(s), which is continuously updated with the various worldwide trusted CA authorities (such as Verisign, Go-Daddy, etc). Appdome inspects certificates and CAs at runtime to ensure that alterations have not been made.

When an SSL/TLS session is initiated with a mobile app, Appdome compares the CAs currently installed on the mobile device against the updated list of trusted CAs that Appdome maintains. If the CAs on the device do not match the trusted CA list maintained by Appdome, the session is dropped.

We hope you find it useful and enjoy using Appdome!

3 Easy Steps to Use Trusted Public CAs in Android and iOS Apps

Please follow these 3 easy steps

Upload an Android or iOS App to Appdome’s no code security platform (.apk, .aab, or .ipa)
From the “Build” tab, click Security, then Secure Communications and switch-ON Trusted Session.
- (optional) Fill out the custom message that is displayed in case of a security event.
- (optional) Toggle the Threat-Events^TM switch, if your wish that your app will handle Appdome events.
Click Build My App

Trust World Wide Public CAs will be automatically enabled on your app

Appdome’s no-code mobile app security platform offers mobile developers, DevSec and security professionals a convenient and reliable way to protect Android and iOS apps. When a user clicks “Build My App,” Appdome leverages a microservice architecture filled with 1000s of security plugins, and an adaptive code generation engine that matches the correct required plugins to the development environment, frameworks, and methods in each app.

Congratulations! You now have a secured mobile app.

How to Sign & Publish Secured Mobile Apps Built on Appdome

After successfully securing your app using Appdome, there are several available options to complete your project, depending on your app lifecycle or workflow. These include:

Signing Secure iOS and Android apps
Customizing, Configuring & Branding Secure Mobile Apps
Deploying/Publishing Secure mobile apps to Public or Private app stores

Or, see this quick reference Releasing Secured Android & iOS Apps built on Appdome.

Prerequisites for using Appdome Trusted Session

Appdome account. If you don’t have an Appdome account, click here to create an account.
Mobile application (.ipa for iOS, or .apk or .aab for Android)
Signing credentials (e.g., signing certificates and provisioning profile)
Private CAs

No Coding Dependency

Using Appdome, there are no development or coding prerequisites to build secure apps. There is no SDK and no library to manually code or implement in the app. The Appdome technology adds the relevant standards, frameworks, and logic to the app automatically, with no manual development work at all.

How Do I Learn More?

To learn more you can read this KB article on Appdome Trusted Session.

To zoom out on this topic, visit Appdome for Mobile App Security on our website.

Or request a demo at any time.

Thank you!

Thanks for visiting Appdome! Our mission is to make mobile integration easy. We hope we’re living up to the mission with your project. If you don’t already have an account, you can sign up for free.

Alan Bavosa